ArchGPT / insomnium

Insomnium is a fast local API testing tool that is privacy-focused and 100% local. For testing GraphQL, REST, WebSockets and gRPC. This is a fork of Kong/insomnia
MIT License

electron 25.2.0 has remote code execution (CVE-2023-4863) Security vulnerability #9

Closed Ilnore closed 10 months ago

Ilnore commented 10 months ago

Expected Behavior

Insomnium is vulnerable to a remote code execution security vulnerability, widely reported as CVE-2023-4863: https://github.com/advisories/GHSA-j7hp-h8jx-5ppr

Insomnium is vulnerable through the vulnerable Electron version 25.2.0: https://github.com/ArchGPT/insomnium/blob/536e63acb3e0850c991912ecc41cd5165480ad12/packages/insomnia/package.json#L145

Actual Behavior

Unable to report this to security@archgpt.net - mailbox bounces with 'delivery failed'.

Reproduction Steps

No response

Is there an existing issue for this?

Additional Information

No response

Insomnium Version

All versions

What operating system are you using?

Other (specify below)

Operating System Version

All operating systems

Installation method

Haven't installed yet

Last Known Working Insomnium version

No response

archywillhe commented 10 months ago

Hi, thanks for posting!

This is the same electron version that was used in Insomnia.

I will update this to 25.8.1 now where the vulnerability has been patched.

archywillhe commented 10 months ago

Alternatively next time you could just do a pull-request too to bump it to 25.8.1! Thanks!

archywillhe commented 10 months ago

oh.. and sorry, there was a typo in the mail address. It should actually be security@archgpt.dev. https://github.com/ArchGPT/insomnium/issues/8